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ABSTRACT 



A secure method for distributing a random cryptographic 
key with reduced data loss. Traditional quantum key distri- 
bution systems employ similar probabilities for the different 
communication modes and thus reject at least half of the 
transmitted data. The invention substantially reduces the 
amount of discarded data (those that are encoded and 
decoded in different communication modes e.g. using dif- 
ferent operators) in quantum key distribution without com- 
promising security by using significantly different probabili- 
ties for the different communication modes. Data is 
separated into various sets according to the actual operators 
used in the encoding and decoding process and the error rate 
for each set is determined individually. The invention 
increases the key distribution rate of the BB84 key distri- 
bution scheme proposed by Bennett and Brassard in 1984. 
Using the invention, the key distribution rate increases with 
the number of quantum signals transmitted and can be 
doubled asymptotically. 

25 Claims, 7 Drawing Sheets 
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FIG. 3A 
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QUANTUM CRYPTOGRAPHIC SYSTEM 
WITH REDUCED DATA LOSS 

STATEMENT OF GOVERNMENTAL INTEREST 

This invention was made with Government support under 
Contract No. DE-FG02-90ER40542 awarded by the Depart- 
ment of Energy. The government has certain rights in the 
invention. 

BACKGROUND OF THE INVENTION 

a. Field of the Invention 

This invention relates to a secure method for distributing 
a random cryptographic bey using quantum mechanics for 
reducing data loss. 

b. Description of the Prior Art 

Cryptography is the art of providing secure communica- 
tion over insecure communication channels. In the second 
world war. Allied successes in breaking the ciphers of 
Germany and Japan played an important part in the outcome 
of the conflict. With the growth of computer networks for 
business transactions, there is an ever increasing need for 
encryption to ensure that this information cannot be obtained 
by an unauthorized third party. 

The security of a conventional crypro- system often relies 
on some previously shared random secret information (the 
€f key tt ). For this reason, secure key distribution is a funda- 
mental issue in cryptography. Unfortunately, classical cryp- 
tography provides no tools to guarantee the security of key 
distribution because, in principle, classical signals can be 
monitored passively, without the sender and receiver know- 
ing that eavesdropping has taken place. 

In quantum mechanics, however, a measurement is an 
active process that leads to the collapse of a wave fi.tnction. 
Measurements will, therefore, generally lead to disturbance. 
Consequently, eavesdropping on a quantum channel can be 
easily discovered by the legitimate users. The experimental 
feasibility of quantum key distribution has recently been 
demonstrated by sending dim light pulses through commer- 
cial optical fiber over a distance of 23 km (Nature 378, 
(1995) 449). 

In a well-known scheme for quantum key distribution 
proposed by Bennett and Brassard in 1984 ("BB84") 
("Quantum Key Distribution and Coin Tossing," by G H. 
Bennett and G. Brassard, in Proceedings of IEEE Interna- 
tional Conference on Computers, Systems and Signal 
Proceedings, Bangalore, India (IEEE, 1984), p. 175, and 
later modified and implemented in 'TBxperimental Quantum 
Cryptography," by C. H. Bennett et al., Journal ofCryptoU 
ogy 5, (1992) 3 and U.S. Pat. No. 5,307,410), the sender and 
the receiver each randomly and independently select one of 
the two non-commuting operators (communication modes) 
for each signal transmitted. They consequently communi- 
cate to determine which of the transmitted signals were 
encoded and decoded using the common operators (i.e., the 
same communication mode). The data that are encoded and 
decoded using different operators (i.e., different communi- 
cation modes) are immediately discarded. Since the two 
non-commuting operators are chosen independently by 
Alice and Bob with equal probability, on average, half of the 
data have to be discarded. Any improvement on the effi- 
ciency of quantum key distribution scheme by reducing the 
fraction of discarded data is, therefore, of great practical 
importance. 

PCT Patent Application WO 94/08409 and also "Bell's 
Inequality and Rejected-data Protocols for Quantum 
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Cryptography," Journal of Modem Optics 40, (1993) 1443 
by Barnett and Phoenix describe how those discarded data 
may be useful for detecting eavesdropping. However, those 
disclosures do not suggest or show the possibility of improv- 

5 ing the efficiency of BB84 by reducing the fraction of 
discarded data. Nor do they suggest assigning significantly 
different probabilities to different non-commuting operators 
used in transmission and reception. Note also that the 
preferred embodiment of the invention does not involve the 

10 analysis of the rejected data, which is the main thrust of 
these two disclosures. 

An article entitled **Quantum Cryptography,** by Bennett, 
Brassard and Ekert, Scientific American (Oct. 1992), p. 50, 
reviews ideas in this field. Related Patents are U.S. Pat. No. 

15 5,243,649 and U.S. Pat. No. 5,339,182. In particular, U.S. 
Par. No. 5243,649 describes an embodiment based on 
non-local correlations between a pair of photons (an EPR- 
pair) rather than single photons proposed in BB84. Similar 
ideas can be found in "Quantum Cryptography based on 

20 Bell's theorem," by Artur Ekert, Fhys. Rev., Lett, 67 ? (1991) 
661. Yet another embodiment of quantum key distribution 
has been proposed by Biham, Huttner and Mor in "Quantum . 
Cryptographic Networks based on Quantum Memories,* 1 
Los Alamos preprint archive quant-ph/9604021, 

25 Nevertheless, the possibility of irnproving the efficiency of 
quantum key distribution is never raised in any of those 
works. 

In summary, previous prior art systems employ similar 
probabilities for the different non-commuting operators 

30 (communication modes). Consequently, at least half of the 
data are rejected. Besides, the analysis of accepted dam 
(those that are encoded and decoded using the same 
operator) is naive. Only the average error rate is computed. 
A run is accepted whenever the average error rate is small 

35 Some eavesdropping attacks that can be readily detected by 
a more refined statistical analysis will easily pass such a 
naive test 

SUMMARY OF THE INVENTION 

40 

Briefly discussed, the invention assigns significantly dif- 
ferent probabilities for the different non-commuting opera- 
tors during both transmission and reception to reduce the 
fraction of discarded data and uses a refined analysis of 

45 accepted data to detect eavesdropping. Since the vast bulk of 
transmissions and receptions are done using a specific 
operator, the present invention greatly inuxoves the effi- 
ciency of quantum key distribution by drastically reducing 
the mount of rejected data (those that are encoded and 

50 decoded with different operators or coxnmunication modes). 
As the number of transmitted signal increases, the efficiency 
of the scheme asymptotically approaches 100%. This is in 
sharp contrast with the 50% limit set by prior art methods. 
The actual efficiency of the present scheme is, of course, 

55 limited by bom the number of transmitted signals and the 
intrinsic noise level of the quantum channel. 

The invention improves the efficiency of quantum key 
distribution at no cost to security. An irnportant feature of the 
invention is refined analysis of accepted data (those that are 

60 encoded and decoded with the same operator). The data is 
divided into separate sets according to the actual operators 
used in encoding and decoding and the error rate of each set 
is determined individually. The analysis of the accepted data 
alone is efficient and sufficient to guarantee the security of 

65 the improved scheme due to the invention, jn the prefare j^ 
embodiment of the inv ention, one accepts a run if, and only 
if, the error rate in each of thei separate sets of the accepted 
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data is smail.This type of refined analysis for accepted data without alteration, there is no way far the users to check 

leads ^Improved securit y even when imp lemented in the whether the carrier has been intercepted. 

original BB84~s5Teme.ZZ ' ~ - There is a physical law in quantum mechanics known as 

~~The invention will be further understood by reference to "no-cloning theorem", which states that quantum signals 

the followine drawines 5 caxauA be doned < A sin S le ^ ntum cannot te doned > bv 

the ronowing drawings. w K Wootters and W. H. Zurek, Nature 299, (1982) 802). 

DESCRIPTION OF THE DRAWINGS Certain pairs of physical properties are complementary in 

the sense that measuring a property in quantum mechanics 

FIG. 1A illustrates how horizontally polarized photons necessarily disturb the other. This statement, known as the 

pass straight through a vertically oriented calcite crystal. lQ Heisenberg uncertainty principle, does not refer merely to 

FIG. IB illustrates the deflection of vertically polarized the limitation of a particular measurement technology: It 

photons after passing through a vertically oriented calcite holds for all possible measurements. Therefore, passive 

crystal. wiretapping is strictly forbidden in any quantum mechani- 

FIG. 1C illustrates repoladzation at random in either the <*lly based cryptographic systems Any eavesdropping 

vertical or horizontal direction when diagonally polarized u attack ^ leave a ******* te transirntted signals, 

photons pass through a vertically oriented calcite crystal. ™* legitimate users can estimate the amount of eavesdrop- 

™~ /. .1.1 mi • ^t>t>o^ ping from the error rate in the transmission of the random 

FIG. 2is a table dlustratmg of the pnor art BB84 quantum £ S ^ m ^ be ^ ^ ^ 

key distribution scheme. mitted data and re-start the transmission. Otherwise, Alice 

FIG. 3A illustrates the results of a lucky eavesdropper, and Bob can use classical infonnation processing techniques 
Eve, who happens to choose the correct basis and is able to to reduce ^ 0 f information leaked to any eaves- 
read off the polarization accurately without disturbing the dropper to approximately zero, at the expense of shortening 
photon polarization, which is received by Bob. ^ length of meir keVi 

FIG. 3B illustrates the results of an unlucky eavesdropper, xhe uncertainty principle can be applied to design a 

Eve, who happens to choose the wrong basis, thereby ^ completely secure channel based on me quantum properties 

disturbing the photon polarization and leaving a trace in the 0 f tfg nt xh e smallest indivisible unit, or quantum, of light is 

signal which is detectable by Bob. the photon, which can be thought of as a tiny oscillating 

FIG. 4A illustrates schematically the sender's part of the electromagnetic field. The direction of the oscillation of the 

system that can be used to implement the preferred embodi- electric field is known as the photon's polarization, 

ment of the invention. 30 A prior art technique used to distinguish between hori- 

FIG. 4B illustrates schematically the receiver's part of the zontally and vertically polarized photons involves a verti- 

system that can be used to implement the preferred embodi- cally oriented calcite crystal 10, i.e., the crystal's optic axis 

ment of the invention. 26 is vertical (ie., along the Z^axis). As shown in FIG. 1A, 

FIG. 5 is a table illustrating the efficiency of the prior art horizontally polarized photons 12 pass straight through 14, 

BB84 technique which rejects 50% of the data on average. 35 whereas in FIG. IB vertically polanzed photons 16 are 

^. ^ * _ . . deflected to a different path 18. Notice that a photon ongi- 

ITC^isata^ ^ „ de tenr^toUy r o^d 

according to the preferred embodiment thereof, with the * t £ shifted ^ aiwtly , xhe law of 

fraction of rejected data tJiose belonging to cases (c) and qimtum m$ J^X if Tphoton polarized at 

(d)) being reduced to Ze (1-e). ^ some other 1 ^ KtidOD ente rs the crystal, however, it will have 

FIG. 7 is a table illustrating an example of an eavesdrop- some pro bability of going into either beam. It will then be 

ping attack using the intercept/resend method against the repolarized according to which beam it goes into and 

present invention. permanently forget its original polarization. The most ran- 

DETAILED DESCRIPTION OF THE dom behavior occurs whe . n P h * on to j? 1 *^* 1 * ttWay 

PREFERRED EMBODIMENT 45 between mese two directions, that is, at 45 or 135 degrees 

(See FIG. 1C). Such photons 20 are equally likely to go into 

During the course of this description, like numbers will be either beam 22 and 24, revealing nothing about their original 

used to identify like elements according to the different polarization and losing all memory of it after passing 

figures which illustrate the invention. through the calcite crystal 10. 

. ^ A ^ _ xr ^ x. - 50 Suppose Bob has been told in advance that a given photon 

A. Pnor Art Quantum Key Distribution Techniques ^ ^ Qne of ^ tWQ ^lon*- 

If two users, frequently referred to as "Alice" and **Bob*\ vertical (90 degrees) 16 or horizontal (0 degrees) 

possess shared random secret information (the "key"), they 12 — without being informed of the specific polarization, 

can, with provably security, make their messages in subse- Then he can reliably tell which direction by sending the 

quent communication totally unintelligible to an eavesdrop- 55 photon into an apparatus consisting of a calcite crystal 10 

per by using the well-known one-time-pad encryption. The and two detectors, such as photomultiplier tubes, that can 

safety can be guaranteed, however, only if the key is used record single photons. The vertically oriented calcite crystal 

once, and then discarded. Therefore, some means of distrib- 10 directs the incoming photon to the upper detector if it was 

uting a fresh cryptographic key is needed for provably horizontally polarized and to the lower detector if it was 

secure communication. 60 vertically polarized Such an apparatus is, however, useless 

Since all information, including a cryptographic key, is for distinguishing diagonal (45- or 135-degree) photons. In 
encoded in measurable physical properties of some object, order to distinguish between diagonal photons, one can use 
classical laws of physics leaves open the possibility of a similar apparatus that has been rotated 45 degrees from the 
passive eavesdropping: A passive wiretapper can simply original orientation. The rotated apparatus, in turn, is Use- 
make copies (clones) of the carder of information and read 65 less for distinguishing vertical from horizontal photons, 
off from those copies the value of the key. Since the original According to the uncertainty principle, these limitations 
carrier of information can be resent to the legitimate user apply not just to the particular measurement apparatus 
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described here but to any measuring device that one can (unannounced) measurement results for the remaining pho- 

possibly build. Rectilinear and diagonal polarizations are tons (which are transmitted and received in the same basis) 

complementary properties in the sense that measuring either should precisely be the original polarizations chosen by 

properties necessarily randomizes the other. In quantum Alice. Since the polarizations of those photons have never 

mechanics, these two properties are represented by two 5 been made public, they represent secret information shared 

non-commuting operators. Horizontally and vertically polar- between Alice and Bob. 

ized photons are "eigenstates" of one operator whereas G) Alice and Bob next test for eavesdropping by, for 

45-degree and 135-degree polarized photons are "eigen- exa ™P lc > pubUdy comparing and discarding ^ prepared 

^ n ^,»^f fu» rt tw and measured polarizations of a random subset of their 

states or the other. , ~ . „ ^. ft . ... 

10 photons. (In practice, only a small portion or the m photons 

B. The Prior Art BB84 Scheme nee<1 10 be discarded because Alice and Bob can figure out 

the error rate of the m photons by checking the parities of a 

A prior art scheme for quantum key distribution was small number of random subsets. For this reason, it is not 

proposed by Bennett and Brassard in 1984 ("BB84"). The necessary to subtract the contribution of m photons from the 

propose of BB84 is for two users, traditionally called Alice efficiency analysis in the paragraph C (Preferred Embodi- 

and Bob, to share a secret random key that can subsequently meM of the Invention). More concretely, the procedure may 

be used to send meaningful secret messages when needs g 0 as follows: Alice and Bob first decide on a maximal 

arise. BB84 uses a quantum channel, through which Alice tolerable error rate. Errors can occur due to either the 

and Bob send polarized photons, in conjunction with a intrinsic noise of the channel or eavesdropping attack by a 

classical public channel, through which they send ordinary 2Q third party, traditionally called Eve. With current 

messages. An eavesdropper, Eve, is free to try to measure the technology, the maximal tolerable error rate can be about 

photons in the quantum channel. However, as noted before, 3%. Alice and Bob choose randomly m photons from the 

the law of quantum mechanics dictates that she cannot in ones that are transmitted and received in the same basis. For 

general do this without disturbing the photons. Furthermore, eacn 0 f the m photons, Bob announces publicly his mea- 

she learns the entire contents of messages sent through the surement result, Alice tells Bob publicly whether his result 

public channel, but assume for the moment that she could j s me same as what she has originally prepared. They then 

not disturb or alter these messages. compute the error rate of the m photons. If the error rate is 

Alice and Bob use the public channel to discuss and larger than their prescribed tolerable error rate (say 3%), 

compare the signals sent through the quantum channel, they infer that either the channel is very noisy or substantial 

testing them for evidence of eavesdropping. If they find 30 eavesdropping has occurred. Therefore, they discard all their 

none, they can distill from their data a body of information data and start over with a fresh batch of photons. If the error 

that is certifiably shared, random and secret, regardless of rate is smaller than the prescribed tolerable error rate, they 

Eve's technical sophistication and the computing power at adopt the remaining polarizations, which have never been 

her disposal. As illustrated in the table of FIG. 2, the prior publicly mentioned, as secret bits, interpreting horizontal or 

art BB84 scheme operates as follows: 35 45-degree photons as binary O's and vertical or 135-degree 

A) Alice generates and sends Bob a sequence of photons photons as binary 1' s. (FIG. 2, row f). 

whose polarizations she has chosen at random to be either 0, As discussed previously, the acceptable error rate accord- 

45, 90 or 135 degrees. Alice does not tell anyone, including ing to the present state-of-the-art is about 3%. Because of 

Bob, the polarizations of her photons. (FIG. 2, row a). that, the polarization data of the photons are still only 

B) For each photon received, Bob measures its polariza- 40 partially secure. To eliminate the tiny amount of Mormation 
tion along either the rectilinear or diagonal basis with equal £ ve may have on their polarization data, Alice and Bob 
probability (FIG 2 row b) should ^ classical information techniques (such as 

^ S . , ' . , . . , . ... privacy amplification and error correction) to their impure 

Q Bob records hisd^osen basis (FIG. 2, row b.) and his ^ ^ ^ me of information leaked t0 my 

measurement results (FIG. 2, row c). ^ ^mdrapptx t0 approximately zero, at the expense of 

D) Bob announces publicly, for each photon, which basis shortening the length of their key. The shorter, but perfectly 
(i.e„ which type of measurement (FIG. 2, row b) he has secure, key can then be used in the subsequent encryption of 
chosen but not the measurement result. meaningful messages. A detailed procedure for privacy 

E) Alice tells Bob publicly, for each photon, whether he amplification and error correction can be found in **Experi- 
has made his measurement along the correct basis. (FIG. 2, ^ mental Quantum Cryptography," Journal of Cryptology 5, 
row d). (1992) 3, by C. H. Bennett et al. 

F) Alice and Bob then discard all cases in which Bob has The number m must be large enough (for example, 400) 
made the measurement along the wrong basis and keep only for a fairly accurate estimate of the error rate of the trans- 
the ones that Bob has made the measurement along the mission. The above comparison test acts as a "quality 
correct basis. (FIG. 2, row e). 55 control". If substantial eavesdropping has occurred, signifi- 

The two (rectilinear or diagonal) bases of polarizations cant error rates will almost surely been found in the corn- 
can be thought of as two distinct and incompatible commu- pari son of the polarization data of a random subset consist- 
nication modes. Messages that are encoded and decoded in ing of m photons. (See the next paragraph for a discussion.) 
the same mode can be read off unchanged, whereas those On the other hand, if a run passes the comparison test, then 
that are encoded and decoded in different mode would be 60 Alice and Bob can almost surely set a limit on the amount 
totally unintelligible. On average, half of the photons are of information that has leaked to an eavesdropper. Since the 
transmitted and received in different bases in BB84 and they polarization data of the m test photons have already been 
are, therefores discarded. The chief purpose of the present publicly announced, Alice and Bob must discard those data, 
invention is to reduce the amount of discarded data as By sacrificing only m photons, Alice and Bob can be sure of 
described in the preferred embodiment of the invention 65 the security of the polarization data of remaining photons. 
(Paragraph Q. Also, if no one has eavesdropped on the Consider an eavesdropping artack against the BB84 tech- 
quantum channel and the channel is noiseless, Bob's nique. Because of the uncertainty principle, an 
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eavesdropper, Eve, cannot measure both rectilinear and 
diagonal polarizations of the same photon. A priori Eve does 
not know which basis to use for each photon. One possible 
strategy is for Eve to choose randomly either the rectilinear 
or diagonal basis to measure the polarization of the photon, s 
If she is lucky enough to have chosen the basis along which 
the photon is originally polarized, she can read of its 
polarization without disturbing it. She can then resend the 
result of her measurement without being detected by Bob. 
For example, in FIG. 3A, if Alice is sending a horizontally 10 
polarized photon 12 and Eve is measuring using a vertically 
oriented 26 calcite crystal 10, then Eve can read off the 
polarization of the photon correctly 14 without disturbing it. 

If, for a particular photon. Eve has chosen to measure its 
polarization in a basis that is different from the one that it is 15 
originally polarized along, then the state of the photon will 
be disturbed. For example, in FIG. 3B, Alice is sending a 
horizontally polarized photon 12 and Eve is measuring along 
the diagonal basis by rotating the calcite crystal 10 so as to 
position its optic axis 30 45° relative to the z-axis 26. Eve 20 
will change the polarization of the photon 32 and 34 she has 
measured. Even if she resends Bob a photon consistent with 
the result of her measurement, she will have irretrievably 
randomized the polarization originally sent by Alice. The net 
effect of such an intercept/resend strategy along the two 25 
bases with equal probability is to cause errors in one quarter 
of the bits in Bob's data that have been subjected to 
eavesdropping. 

FIGS. 4A and 4B depict a quantum cryptographic appa- 
ratus that can be used with the preferred embodiment of the 
invention. The leftmost part of Alice's sending apparatus 54 
consists of a green light-emitting diode 36, a pinhole 38, a 
lens 40, an aperture 42, a color filter 44, and a polarizer 46 
that provide a collimated beam of horizontally polarized 
light 48. Electro-optic devices known as Pockels cells 50 are 35 
men used to change the original polarization of the photon 
to any of four standard polarization states under Alice's 
control. The photon is then sent to a quantum channel 52. 

At the other end of the quantum channel 52, Bob's ^ 
receiving apparatus 62 contains similar Pockels cells 50, 
which allow him to choose the type of polarization he will 
measure. After the beam passes through Bob's Pockels cells 
50, it is split by a calcite prism 10 into two perpendicularly 
polarized beams 56 and 58 which are directed into two 45 
photomultiplier tubes 60 for the purpose of detecting indi- 
vidual photons. 

The prototype depicted in FIGS. 4A and 4B uses faint 
light pulses instead of individual photons as required in 
BB84. This replacement gives rise to a new kind of eaves- 50 
dropping attack — the beamsplitter attack. These details are, 
however, irrelevant for our discussion. (See *Bxperimental 
Quantum Cryptography " Journal of Cryptology 5, (1992) 3, 
by C. H. Bennett et aL for details). 

C. The Preferred Embodiment of the Invention 55 

To understand the present invention, it is useful to exam- 
ine the efficiency of BB84. In FIGS. 5A-SD, the data is 
divided into four cases according to the bases chosen by 
Alice and Bob. Since Alice and Bob choose the two bases 60 
[rectilinear (+) and diagonal (x)] with equal probability, each 
of the four cases occurs with a probability V*. Notice that the 
data in cases 5C and 5D must be discarded because Bob has 
made the wrong measurement Therefore, 50% of the data 
are rejected for that reason. The present invention improves 65 
the efficiency of quantum key distribution by drastically 
reducing the amount of rejected data. BB84 is used as the 
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preferred embodiment and it will be shown, rather 
remarkably, that one can asymptotically double the effi- 
ciency of the original BB84 scheme by assigning unequal 
probabilities to the two bases. It will also be shown in 
paragraph D (Analysis of Accepted Data) below that the 
ability of detecting eavesdropping is not compromised by 
the present invention. 

The present invention, which significantly reduces the 
fraction of discarded data in BB84, is described as follows: 

A) For each photon, Alice chooses the recti linear and 
diagonal bases with unequal probabilities e and le where 
e^Vi She then chooses the two polarizations of a basis with 
equal probability. For example, e=0.1. The value of e is 
public and is, therefore, known to the eavesdropper. 
However, at this stage Alice does not tell anyone, including 
Bob, the actual polarization nor the basis that she has chosen 
for each photon. 

B) Bob also chooses to measure along the rectilinear and 
diagonal bases with unequal probabilities e' and 1-e'. In the 
preferred embodiment of the invention, e' is chosen to be 
equal to e. However, the invention applies to a general e'. 

Steps C), D) and E) are the same as in BB84. (See FIG. 
2). In other words, Bob records, for each photon, the basis 
used and the measurement result obtained. He announces 
publicly the basis but not the measurement result Alice then 
tells him whether he has performed the correct measurement 
(A correct measurement is one in which Alice and Bob use 
the same basis.) for each photon. 

F) Alice and Bob discard all data in which Bob has 
performed the wrong measurement (i.e, the ones in which 
Alice and Bob use different bases.) In the table of FIGS. 
6A-6D, one divides up the data into four cases according to 
the bases [rectilinear (+) or diagonal (x)] used by Alice and 
Bob. Notice that discarded data (those in which Alice and 
Bob use different bases) correspond to cases (c) and (d) in 
FIGS. 6C and 6D. Owing to the unequal probabilities 
assigned to the two bases, the fraction of rejected data is, on 
average, only 2e (1-e). For example, if e=0. 1, the fraction of 
discarded data is only 0.18 which is less than half of 0.5, the 
fraction of discarded data in BB84. Of course, one can 
reduce this fraction further by decreasing e. As will be 
discussed in the subsection "constraint on e", e^ v (m/N) 
where N is the number of transmitted photons and m is 
defined in step G) immediately below. 

G) Alice and Bob randomly select m photons from case 
(a) in the table of FIG. 6A to publicly compare and discard 
their polarization data. This would give an estimate of the 
error rate for case (a). Similarly, they randomly select m 
photons from case (b) in FIG. 6B to publicly compare and 
discard their polarization data. This would give an estimate 
of the error rate for case (b). The number m must be 
sufficiently large so that the m test photons give Alice and 
Bob a fairly accurate estimate of the error rate. For example, 
m=400. Alice and Bob must decide on the maximal tolerable 
error rate. With current technology, it can, for example, be 
3%. If at least one of the two error rates are larger than say 
3%, they infer that substantial eavesdropping might have 
occurred Therefore, Alice and Bob discard all the data and 
start over with a fresh batch of photons. It is only when error 
rates for both cases (a) and (b) in FIGS. 6A and 6B are small 
that they conclude that an eavesdropper, Eve, can have only 
very limited amount of information on the polarization data. 
Therefore, they adopt the remaining polarizations, which 
have never been publicly mentioned, as secret bits, inter- 
preting horizontal or 45-degree photons as binary 0's and 
vertical or 135-degree photons as binary Vs. To eliminate 
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the tiny amount of information that Eve may still hold, they separate error estimation to each set will lead to enhanced 

use classical information processing techniques such as security even for BB84. 

privacy amplification and error correction to their impure When the two communication modes (polarization bases) 

key to distill a shorter and perfectly secure key, which can are chosen with significantly different probabilities, as in the 

then be used for subsequent encryption of meaningful mes- 5 preferred emb<>diment of the invention, a refined analysis of 

sages. Details of privacy amplification and error correction the accepted data is much more powerful than a naive 

can be found in 'Experimental Quantum Cryptography," analysis in aetectmgeavesoxopping.To see this consider the 

Journal of CryptohgyS, (1992) 3, by C. H. Bennett et al. TO* naive data analysis in which one simply lumps all 

^ J ^ v j i j me ^ together an a computes a single error rate for the 

In practice, only a small portion of the photons needs to whole For foe ample iatercept/resend strategy 

be discarded because Alice and Bob can figure out the error w described aboy^me average error rate is fee 2 ^! (1-^) 2 R 

rate of the m photons by checking the panties of a small Suppose me mm i ma i tolerable error rate is again set to be 

number of random subsets. For this reason, the contribution 3% Wfth £=Q x Eye ^ choos& p „q md p ^ x ^ other 

of m photons to the efficiency is not subtracted in the above wofd ^ ^ me polarization of the photon 

discussion following step F). ^ ong ^ basis. The average error rate is only (p 2 

D Analvsis of Accepted Data e 2 ^ 1 (l-e) 2 ]/2=l%<3%. Such a strategy will defeat a naive 

01 Acce P tea uaw test Yct wiU gain a substantial amount of information 

It is useful to note mat an important element of the about Bob's measurement results as she is measuring along 

preferred embodiment of the invention is a more refined the basis in which the vast bulk of the transmissions are 

analysis of the accepted data. The idea is to divide the made. 

accepted data into different sets according to the actual basis jf t however, one had followed the teachings of the present 

used and perform separate error estimation to each set This invention to estimate the error rates of cases (a) and (b) 

is to be contrasted with the original BB84 scheme in which separately, one would have found the error rate for case (a) 

only the average error rate of the accepted data is computed, t0 be 50% which is far higher than the acceptable 3% error 

When implemented in BB84, this idea of refined accepted rate ^he whole run would, therefore, have been rejected in 

data analysis would give enhanced security. Moreover, it can ^ c correct prescription of the invention. In conclusion, an 

also be used to guarantee the security of the improved indispensable element of the preferred embodiment of the 

scheme presented in the preferred embodiment of the inven- invention is to further classify the acceptable data (those that 

tion. are transmitted and received in the same basis) into subcat- 

To understand why such a refined analysis of accepted 30 egories according to the actual basis used and estimate the 

data is useful, consider a simple intercept/resend eavesdrop- error rate for each subcategory individually. It is only when 

ping strategy adopted by Eve. In mis scenario, for each the error rates for all subcategories are small that one should 

photon, Eve measures its polarization along the rectilinear accept the run. This gives the invention extra power in 

and diagonal bases with probabilities p t and pj respectively. detecting eavesdropping beyond the naive scheme in which 

She records the result of her measurement and resends the 35 all the acceptable data are lumped together to Pennine a 

photon to Bob. With a probability l^) 1 -p 2 » Eve does single error rate. 

nothing to the photon. Suppose that Alice and Bob have Of course, Eve may use other eavesdropping strategies, 
decided that the acceptable error rate for each basis is only For instance, she may choose to measure the polarization of 
3%. Will Alice and Bob discover Eve's eavesdropping the photon in a basis midway between the rectilinear and 
attack? To make this determination, first calculate the error ^ diagonal bases with a probability p m . A simple exercise in 
rates for cases (a) and (b) as illustrated in the table of FIGS. quantum physics shows that this strategy introduces an error 
6Aand GB, respectively. In case (a), Alice and Bob both use ra te of 2p m cos 2 22.5°sin 2 22.5°=p n /4 to both cases (a) and 
the rectilinear basis and the error arises only when Eve is (b). The constraint that both error rates be no larger than 3% 
eavesdropping along the diagonal basis. (See the table in implies that Eve would better choose p m £ 12%. This is true 
FIG. 7A). Since Eve is doing so with a probability p 2 and her 45 for both BB84 and the improved scheme according to the 
measurement randomizes the polarization of the incoming invention. More generally, one can repeat the analysis made 
photons, the expected error rate of case (a) should be pJ2. in "Experimental Quantum Cryptography," C H. Bennett et 
By a similar argument, the expected error rate of case (b) al M lournal of Cryptology 5, (1992) 3 to show that any 
(See the table in FIG. 7B) should be p L /2. Therefore, for Eve realistic eavesdropping attach would introduce some char- 
to avoid being detected by the two users who compute the ^ acteristic error rates for cases (a) and (b) respectively and 
error rates of cases (a) and (b) separately according to the those error rates are independent of the probabilities 
invention, she has to choose p x and p 2 to satisfy the two assigned by Alice and Bob to the two bases (or equivalently, 
conditions p x ^6% and p 2 £ 6%. the value of e). Therefore, the foregoing analysis shows that 

How much mformation can Eve gain out of such an the improved scheme due to the invention presented here 

eavesdropping attack? Since Eve has performed the correct 55 must be as secure as BB84 against such attacks, 

measurement only with a probability 6%, the amount of H is important to note that, in some cases, the refined 

information she has on the raw key (ie., before privacy analysis of accepted data according to the current invention 

amplification and error correction) is only 6%. gives one more power in detecting eavesdroppers than the 

Notice that, in BB84, only the average error rate is refined analysis of discarded data proposed in PCT W094/ 

computed In that case, an acceptable average error rate of 60 08409 and "Bell's Inequality and Rejected-data Protocols 

3% implies a single constraint (p l 4p 2 )^12%. This is less for Quantum Cryptography" Journal of Modem Optics 40, 

stringent than the two constraints p^6% and p 2 ^6#> set by (1993) 1443. For instance, any refined analysis of rejected 

the invention. For instance, the case when p : =0 and p2=9% data is totally useless for detecting eavesdropping in the 

violates the second constraint and will be detected by the preferred embodiment of the invention if the eavesdropper is 

invention whereas it passes the naive test in BB84. 65 measuring the polarizations of photons along the rectilinear 

Therefore, the idea of dividing up accepted data into differ- and diagonal bases. The reason is the following: There are 

ent sets according to the actual basis used and performing only two bases in the preferred embodiment of the invention. 
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Since each photon in rejected data involves two bases, each (where N is the number of photons transmitted and m is the 

basis (rectilinear or diagonal) must be used by either Alice number of photons belonging to case (a) in FIG. 6A whose 

or Bob. An eavesdropper using either basis is simply mea- polarization data are compared and discarded for the testing 

suring along a basis that is used by either Alice or Bob. of eavesdropping). The case when ra is 400 and N is 100 

Dearly, no new error is introduced by such an innocent 5 million, for example, gives a hundredfold reduction in the 

measurement at all. Therefore, no anomalous error rate will fraction of discarded data. Besides, as illustrated by the 

show up in rejected data. This is in sharp contrast to the example N=10,000 in the last paragraph, the invention is 

significant increase in error rates for accepted data discussed useful even for rather modest number of transmitted pho- 

above. tons. In that case, the fraction of rejected data is reduced 

io from 50% in the prior art to 32%. That is to say, for 68% of 

E. Constraint on e ^ s £g na x s , the quantum mode of transmission matches the 

It is useful to recall that the two polarization bases quantum mode of reception. Moreover, the invention does 

(rectilinear and diagonal) are chosen by each of Alice and not compromise security as compared to the prior art BB84. 

Bob with probabilities e and 1-e. There is a constraint on e, in some cases, for example, when the eavesdropper is 

It must be large enough so that one can estimate the error ^ measuring the polarization of the photons along a single 

rate for case (a) reliably. Suppose the typical error rate is in basis, it even gives added security. Furthermore, the inven- 

the region 1-5% and one is transmitting 10,000 photons. In tion is extremely simple to implement: The only real big 

order to obtain a fairly accurate estimate of the error rate, it change is for the two users, Alice and Bob, to select the two 

would be desirable to compare and discard the polarization bases with unequal probabilities e and 1-e All Alice and 

data of say 400 photons that are transmitted and received 2 o Bob need is some biased coins which have a probability e of 

using the rectilinear bases (i.e., in case (a) of FIG. 6). being 'up* and 1-* of being 'down'. They can then decide 

Considering the expected number of photons belonging to on which basis to use, for each photon, by using the outcome 

case (a), one obtains 10,000e 2 ^400, i.e., e^O.2. For t=0.2, 0 f flipping one of such biased coins. More realistically, they 

the fraction of discarded data, 2c(l-*), is 32% as compared can use a true random number generator to do the same job. 

to 50% in the prior art BB84. In other words, the fraction of 25 As discussed above, Alice and Bob also have to divide up 

accepted data (for which the quantum mode of transmission their acceptable data into different sets according to the 

matches that of reception) is 68%. If one is transmitting actual basis used and perform separate statistical analysis to 

40,000 photons instead, it still suffices to test only 400 them, but this should be easy to implement as well, 

photons that are in case (a). So, one has 40,000e 2 ^400 and _ PTrkK ^. ntc 

may use any e^O.l For e=0.1, the fraction of rejected data 30 F " Einboaiments 

is reduced to 18%. In that case, the fraction of accepted data A key idea of the invention is to use significantly different 

(for which the quantum mode of transmission matches that probabilities for the different communication modes (or 

of reception) is 82%. If N is 100 million and one still tests non-commuting operators). This strategy can be adopted by 

only 400 photons, e can be as small as 0.2%. That is to say bom users, the sender and receiver, to reduce the fraction of 

that the fraction of discarded data 2e(l-c) can be as small as 35 rejected data because the vast bulk of the communication 

0.4%. This is a hundredfold reduction in the fraction of can be made with common operators, 

discarded data as compared to the 50% fraction in BB84. In the preferred embodiment of the invention, both Alice 

More generally, the constraint on e is that e£*(m/N) where and Bob choose the rectilinear and diagonal bases (quantum 

N is the number of photons transmitted and m is the number communication modes) with probabilities e and l-€. 

of photons belonging to case (a) in FIG. 6A whose polar- 40 However, as remarked in step B) an alternative embodiment 

ization data are compared and discarded for the testing of is to allow Alice and Bob to use different biases in choosing 

eavesdropping. Note that, for a fixed nuasN becomes larger the two bases. For instance, Alice chooses the rectilinear and 

and larger, e can be made smaller and smaller. It asymptoti- diagonal bases with probabilities a and 1-a while Bob 

cally approaches zero, but never quite reach it The fraction chooses the rectilinear and diagonal bases with probabilities 

of discarded data, as given by 2e(l-e) is also arbitrarily 45 b and 1-b where b can be different from a. Here, just like e, 

small in this limit. Notice that, so long as e^(m/N)« the a and b are made public and are both supposed to be small, 

security of the protocol is essentially independent of the Another embodiment of the invention is to choose the 

value of e. In other words, the invention gains efficiency various polarizations within the same basis (say the hori- 

without sacrificing security. zontal and vertical polarizations) with different probabilities. 

It is also to be understood that the invention is not 50 So long as the probability of using one basis is significantly 

restrictive to the case of a fixed m. For example, one may larger than the other, the scheme can still be efficient For 

imagine a cryptographic apparatus which allows the users to instance, Alice chooses the horizontal, vertical, 45- degree 

input the values of N and e Moreover, one can imagine that and 135-degree polarizations with probabilities p x , p 2 , p 3 

Alice and Bob publicly announce and change the value of e and p 4 (p 1 4p 2 4p 3 +p 4 =l) where p 3 +p 4 ^03 or =0.7. A 

during an operation. For instance, Alice and Bob can use 55 special case is one in which Alice chooses the horizontal, 

e =0.l for the first half of the signals and 0.9 for the second 45-degree and 135-degree polarizations with probabilities 

half of the signals. That is to say that while they predomi- 0. 1, 0.45 and 0.45 and Bob decodes along the rectilinear and 

nately use the diagonal basis for the first half of the diagonal bases with probabilities 0.2 and 0.8 respectively, 

transmission, the rectilinear basis is predominately used for The non-commuting operators are not restricted to the 

the second half of the transmission. They can separately 60 polarization of photons. For example, another embodiment 

analyze the data of two halves of the transmission. of the invention is to use the path taken by a photon rather 

The invention just described has distinctive advantages than its polarization to encode the information. A single- 
over prior art devices. It can drastically decrease the amount photon interference system is discussed in a manuscript 
of rejected data from 50% to 2« (1-e). For a typical 6=0.1, "Quantum Cryptography Using Any Two Non-orthogonal 
the latter is 18% and the fraction of accepted data is 82%. As 65 States", C H. Bennett, Phys. Rev. Lett. 68, (1992) 3121. 
discussed in the last paragraph, there is no priori limit to the This is an embodiment in which single photon signals are 
extent of this reduction. The only constraint is e^ v (m/N) analyzed through interferometry. 
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Yet, another embodiment of the invention is to use non- 
local correlations between photon pairs (the so-called EPR 
pairs) instead of single photons. See, for example, U.S. Pat 
No. 5,243,649. 

Furthermore, the invention can also be applied to the 5 
scheme proposed by Biham, Huttner and Mor in ''Quantum 
Cryptographic Network Based on Quantum Memories," Los 
Alamos preprint archive quanti)h/9604021, asymptotically 
doubling its efficiency. The idea is for the two users, Alice 
and Bob, to store up secretly prepared quantum memories i° 
that are "eigenstates" of non-commuting operators in a 
cryptographic key distribution center. The center then per- 
forms a measurement on the combined quantum state of a 
pair of particles, one from each user. Afterwards, the center 
sends the results of its measurements to the two users. 1 5 
Biham, Huttner and Mor have shown that this scheme is 
conceptually equivalent to BB84. 

There may also be complications and modifications in the 
ultimate implementation. As noted earlier, faint light pulses 
instead of ideal single photon pulses may be employed in the 20 
implementation of BB84 or the improved scheme according 
to the present invention. Moreover, the - invention can also 
be combined with a discarded data protocol such as dis- 
cussed in PCT Application No. WO94/08409. 

While the invention has been described with reference to 25 
the preferred and alternative embodiments thereof, it will be 
appreciated that various modifications can be made to the 
parts and methods mat comprise the invention without 
departing from the spirit and scope thereof. 3Q 

We claim: 

1. A cryptographic communication method employing at 
least two quantum communication modes comprising the 
steps of: 

producing a stream of quantum signals from a signal 35 
source; 

controlling and measuring the quantum modes of trans- 
mission of signals produced from said signal source to 
produce a transmitted stream of signals; 

measuring the quantum modes of reception of signals 40 
from said transmitted stream of signals such that the 
quantum mode of transmission matches the quantum 
mode of reception for at least 68 percent of the trans- 
mitted signals, 

wherein the amount of discarded data is substantially 45 
reduced. 

2. The method of claim 1 in which the quantum mode of 
transmission matches the mode of reception at least 82 
percent of the transmitted signals. 

3. The method according to claim 1 in which the trans- so 
mitter uses two quantum communication modes with prob- 
abilities a and 1— a respectively and the receiver uses two 
quantum communication modes with probabilities b and 1— b 
respectively, 

wherein a, b^0.8. 55 

4. The method of claim 1 in which the signals are photons 
and in which quantum modes of communication are polar- 
ization bases of photons. 

5. The method according to claim 4 in which the trans- 
mitter encodes each photon signal in one of the following 60 
four polarizations: horizontal, vertical, 45-degree and 135- 
degree and the receiver decodes each photon signal along 
either the rectilinear or diagonal bases. 

6. The method according to claim 5 in which the four 
polarizations: horizontal, vertical, 45-degree and 135-degree 65 
are used by the transmitter with probabilities p i9 p 2 , P3, and 
P4 (Pi-*P2-4>3+P4=l) where p 3 +p 4 ^0.2 or 10.8 and the 
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receiver decodes each photon signal along the rectilinear and 
diagonal bases with probabilities l-p d and p d where p d =z 0.2 
or 10.8. 

7. The method according to claim 6 in which pi=p 2 an( * 

P3=P4- 

8. The method according to claim 7 in which pj=2p 3 . 

9. The method according to claim 4 in which the trans- 
mitter encodes each photon signal in one of the six polar- 
izations: horizontal, vertical, 45-degree, 135-degree, right- 
circular and left-circular. 

10. The method according to claim 1 in which pairs of 
non-local correlated photons are used as signals. 

11. The method according to claim 1 in which photon 
signals are measured through interferometry. 

12. The method according to claim 1 in which quantum 
memories are used as signals. 

13. A cryptographic communication method employing at 
least two quantum communication modes comprising the 
steps of: 

producing a stream of quantum signals from a signal 
source; 

controlling and measuring the quantum modes of trans- 
mission of signals produced 
from said signal source to produce a transmitted stream of 
signals; 

measuring the quantum modes of reception of signals 
from said transmitted stream of signals such that the 
data that are transmitted and received in the same 
quantum communication mode are divided into more 
than one set according to the actual communication 
mode used; 

wherein an estimation of the error rate is applied to 
individual sets in order to determine the extent of 
eavesdropping. 

14. The method according to claim 13 in which, for each 
said set, a fixed number, m, of quantum signals are randomly 
sampled to estimate the error rate of each set 

15. The method according to claim 14 in which a stream 
of N photons is transmitted, each in the rectilinear and 
diagonal bases with probabilities € and 1-e, and received by 
a receiver which measures the polarizations along the rec- 
tilinear and diagonal bases with probabilities c' and 
wherein 

Nee'&m. 

16. The method according to claim 15 wherein e=e\ 

17. The method according to claim 13 in which the 
transmitted stream of signals are photons and in which the 
polarization bases of photons are used as the quantum modes 
of communication. 

18. Hie method according to claim 13 in which pairs of 
non-local correlated photons are used as signals. 

19. The method according to claim 13 in which single 
photon signals are analyzed through interferometry. 

20. The method according to claim 13 in which quantum 
memories are used as signals. 

21. A cryptographic communication system employing at 
least two quantum communication modes comprising: 

a source for producing a stream of quantum signals; 
transmitter means for controlling and measuring the quan- 
tum modes of transmission of signals produced from 
said signal source; 
receiver means for measuring the quantum modes of 
reception of signals from said transmitted stream of 
signals, 
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wherein the quantum mode of transmission matches the 
quantum mode of reception for at least 68 percent of 
said transmitted stream of signals thereby reducing the 
amount of data discarded. 

22. The system of claim 21 wherein the quantum mode of 5 
transmission matches the quantum mode of reception for at 
least 82 percent of said transmitted stream of signals. 

23. A cryptographic communication system employing at 
least two quantum communication modes comprising: 

a source for producing a stream of quantum signals; 10 
transmitter means for controlling and measuring the quan- 
tum modes of transmission of signals produced from 
said signal source; 
receiver means for measuring the quantum modes of 15 
reception of signals from said transmitted stream of 
signals, 

wherein the data that are transmitted and received in the 
same quantum communication mode are divided into at 
least two sets according to the actual communication 20 
mode used and an estimation of error is applied to at 
least two of said individual sets in order to determine 
the extent of eavesdropping. 

24. A cryptographic system employing at least one quan- 
tum channel comprising: 
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a proton source for producing a proton stream; 

a transmitter means for selectively controlling the polarity 
of the protons transmitted from said proton stream, 
wherein there are at least N protons in said stream and 
there is a probability e that they are in a given polarity; 

receiver means for receiving and measuring the polarity 
of protons sent by said transmitter means and sampling 
m of them and there is a probability € that they are in 
the same polarity, 

wherein the mode of measurement of the m photons are 
compared with the mode of transmission and wherein 



and 



25. The system of claim 24 where e^O.l. 



***** 
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